EU AI Act Art.31 Operational Obligations of Notified Bodies: Conformity Assessment Conduct, Certificate Management, Subcontracting, and Coordination (2026)

Article 31 of the EU AI Act is the operational capstone of the notified body framework. Where Art.27 establishes the requirements a conformity assessment body must satisfy to be eligible for designation, and Art.28 governs the formal notification procedure, and Art.29 addresses how notification is modified or withdrawn when those requirements are no longer met, Art.31 answers a different question: what must a notified body actually do, day to day, to fulfil its role once it holds notified status?

The distinction between eligibility and operation is fundamental. Art.27 requirements are static conditions—a body either meets them at designation time or it does not. Art.31 obligations are dynamic—they govern continuous conduct across hundreds of individual conformity assessment activities, each involving different providers, different AI systems, and different risk profiles. Art.31 failures are therefore harder to identify than Art.27 failures and, in many cases, more practically significant: a notified body can satisfy all Art.27 requirements at the point of designation while systematically failing its Art.31 obligations in practice.

For AI system providers, Art.31 defines the standards against which notified bodies they engage are legally bound to operate. Understanding Art.31 is therefore not merely an academic exercise in regulatory architecture—it is the basis on which providers can evaluate whether a notified body is conducting a valid, legally defensible conformity assessment, or whether procedural and operational failures expose the resulting certificate to challenge under Art.30 or to regulatory action under Art.29.

The Position of Art.31 in the Notified Body Framework

The five-article notified body sequence in the EU AI Act operates as an integrated regulatory system:

• Art.27: Requirements — the eligibility conditions (independence, technical competence, quality management system, financial stability, staff qualifications) a conformity assessment body must satisfy before it can be designated and notified
• Art.28: Notification procedure — the formal process by which a notifying authority registers a designated body in NANDO, assigns a notified body number, and establishes the legal authority to issue CE conformity certificates
• Art.29: Changes to notifications — the enforcement mechanism by which notifying authorities suspend, restrict, or withdraw notification when ongoing Art.27 compliance fails
• Art.30: Challenge of competence — the procedure for contesting whether a notified body had the technical competence to conduct a specific assessment, initiated by any party with a legitimate interest
• Art.31: Operational obligations — the duties notified bodies must fulfil during the performance of conformity assessments and in the management of the certificates they issue

Art.31 is unique among these five articles in that it governs the core transactional relationship between a notified body and the providers whose systems it assesses. Art.27, Art.28, Art.29, and Art.30 all address aspects of the relationship between notified bodies and their national notifying authorities—or between national authorities and the Commission. Art.31 is where the notified body ecosystem connects to the market: to the providers who engage notified bodies, the AI systems being assessed, and the certificates that flow from that assessment activity.

Conduct of Conformity Assessments: The Art.31 Core

The foundational operational obligation under Art.31 is that notified bodies must conduct conformity assessments in accordance with the applicable conformity assessment procedures—principally the procedure in Annex VII to the EU AI Act, or the conformity assessment procedures in applicable Union harmonisation legislation for AI systems that are safety components in regulated products.

This obligation has several practical dimensions.

Procedure fidelity. The conformity assessment under Annex VII has two components: quality management system assessment and technical documentation assessment. The quality management system assessment examines whether the provider's QMS covers the obligations set out in Art.17—from design and development controls to post-market monitoring. The technical documentation assessment examines whether the technical documentation required under Art.11 and Annex IV adequately demonstrates that the high-risk AI system meets the applicable requirements in Arts.9 to 15.

Art.31 requires that both components be conducted with rigour appropriate to the risk profile of the system being assessed. A notified body that reduces the technical documentation review to a checklist exercise without substantive examination of the AI system's risk management approach, data governance framework, or accuracy and robustness metrics fails its Art.31 obligations regardless of whether it formally completes the required procedure steps.

Proportionality in assessment conduct. Art.31 explicitly requires notified bodies to adapt their assessment procedures in proportion to the size of the undertaking, the sector in which it operates, its structure, and the degree of complexity of the AI system concerned. This proportionality obligation runs in two directions.

For small and medium-sized enterprises developing high-risk AI systems, proportionality means that notified bodies cannot apply the same administrative burden as they would to a large technology company with established QMS infrastructure. Proportionate assessment means recognising that an SME's quality management system may be less formally documented while still being substantively effective—and that procedural observations about documentation format should not outweigh substantive findings about actual risk management quality.

For complex AI systems with novel architectures, high-impact deployment contexts, or non-standard risk profiles, proportionality means the opposite: more intensive examination is warranted, not less. A notified body that conducts a superficial assessment of a complex medical AI system on the basis that the provider is a large organisation with established QMS processes fails the proportionality requirement in the other direction.

Independence in each assessment. Art.31 requires that notified bodies conduct each assessment with the independence and impartiality required by Art.27. Independence is not a general status maintained at designation time—it must be actively preserved in each assessment activity. If personnel conducting a specific assessment have commercial relationships with the provider, have recently been employed by the provider, or have financial interests in the outcome, those specific personnel are disqualified from the assessment regardless of the notified body's general independence status.

Certificate Management: Issuance, Content, Validity, and Withdrawal

The certificate is the primary legal output of a notified body's work under the EU AI Act. Art.31 governs the certificate lifecycle from issuance through to suspension, restriction, or withdrawal.

Certificate content requirements. Certificates issued under Art.31 must contain:

• Identification of the notified body (name, NANDO number)
• Identification of the provider and the high-risk AI system assessed (including the version, intended purpose, and applicable risk category under Annex III)
• A statement that the system or the provider's quality management system meets the applicable requirements, with specification of which requirements were assessed
• Any conditions, restrictions, or limitations on the certificate's scope
• Reference to the applicable harmonised standards applied during the assessment
• The date of issue, the certificate number, and the validity period
• The notified body's authorised signature

Certificates that omit material elements—particularly conditions or scope restrictions that limit the legal authority conveyed—are operationally defective and may be challenged under Art.30 or subjected to market surveillance action.

Validity period and renewal. EU AI Act conformity assessment certificates are time-limited. The standard validity period for high-risk AI system certificates is five years from the date of issue. Notified bodies may issue certificates for shorter periods where the assessment reveals significant uncertainty about sustained compliance—for example, where an AI system's performance characteristics are likely to evolve substantially within five years, or where the provider's quality management system has been assessed as marginally compliant and requires more frequent review.

Certificate renewal requires a fresh assessment, not a mere administrative extension. A notified body that renews a certificate by confirming the previous assessment without substantive re-examination of the AI system and QMS as they exist at the time of renewal fails its Art.31 obligations. AI systems are not static—they are updated, retrained, deployed in new contexts, and subject to changes in the regulatory environment. Renewal assessment must engage with the system and QMS as currently constituted.

Registration in the EU AI database. Art.31 requires notified bodies to register each certificate issued, restricted, suspended, or withdrawn in the EU AI database established under Art.71. This registration requirement serves the market transparency function: providers, deployers, market surveillance authorities, and the Commission can verify the current status of any certificate issued for a high-risk AI system.

Registration must be completed promptly following issuance or change—not deferred or batched. Where a notified body issues a certificate with conditions or restrictions, those conditions must be accurately recorded in the database so that deployers and importers relying on the CE marking can understand the scope of the conformity assessment that underpins it.

Reporting refused and withdrawn certificates. Art.31 requires notified bodies to notify their national notifying authority when they refuse to issue a certificate, when they restrict or suspend a certificate, and when they withdraw a certificate. This reporting obligation is not discretionary—it serves the system-level regulatory intelligence function that allows notifying authorities to identify patterns of non-compliance across the market.

The reporting obligation extends to cases where a notified body identifies, during assessment, non-conformities that the provider subsequently addresses before the certificate is issued. These remediation sequences must be documented and retained even if the final outcome is a certificate without conditions. Documentation of remediation provides the evidentiary record needed if the certificate is subsequently challenged or if the system comes under market surveillance scrutiny.

Subcontracting: Permitted Scope and Non-Delegable Obligations

Art.31 permits notified bodies to subcontract specific conformity assessment activities to qualified external entities. This subcontracting permission reflects the practical reality that no single notified body can maintain in-house expertise across the full technical range of AI systems for which it may be designated—particularly given the interdisciplinary nature of AI risk assessment, which may require specialist knowledge in clinical medicine, aerospace engineering, autonomous vehicle dynamics, natural language processing, or computer vision depending on the system type.

However, Art.31 imposes strict conditions on subcontracting that limit both the scope of what can be delegated and the legal responsibility implications.

Permitted subcontracting. Notified bodies may subcontract specific technical tasks within a conformity assessment—for example, specialised testing of an AI system's performance in a specific domain, review of compliance with particular harmonised standards, or audit of specific components of a quality management system. Subcontracting of specific, bounded tasks is lawful provided the conditions below are satisfied.

Conditions for lawful subcontracting. Art.31 requires that:

• The subcontractor meets the applicable Art.27 requirements for the specific tasks being subcontracted. If the subcontracted task requires independence from the provider, the subcontractor must demonstrate that independence, not merely the notified body itself
• The provider must be informed of the intention to use subcontractors before the subcontracting occurs. Providers have a legitimate interest in knowing who will be examining their systems and whether any subcontractor presents conflict-of-interest concerns
• The notified body retains full legal responsibility for the entire conformity assessment, including all subcontracted components. This non-delegation of responsibility is absolute: a notified body cannot defend an assessment failure by pointing to a subcontractor's deficient work
• The notified body must verify and take responsibility for the work performed by subcontractors before incorporating their outputs into the assessment

Non-delegable activities. Art.31 does not permit notified bodies to subcontract the entire conformity assessment or its core decision-making components. The issuance of the conformity assessment certificate is a notified body function that cannot be subcontracted—the certificate must be issued under the notified body's authority, based on its own informed assessment of all components, including subcontracted work. The notified body's assessors must review, evaluate, and take professional responsibility for all subcontracted outputs before a certificate decision is made.

This non-delegation principle means that Art.30 challenges based on subcontracting failures are directed at the notified body, not at the subcontractor. The notified body is legally responsible for having engaged an unqualified subcontractor, for failing to verify the subcontractor's work adequately, or for failing to inform the provider.

Documentation and Record Retention

Art.31 requires notified bodies to maintain comprehensive documentation of all conformity assessment activities and to retain that documentation for a period sufficient to support post-certification scrutiny.

What must be documented. Notified bodies must document:

• The assessment procedure applied, including the specific Annex VII components addressed and the harmonised standards and technical specifications applied
• All technical examination activities, including testing conducted, systems accessed, data reviewed, and personnel involved
• The findings of the quality management system assessment and any observations or non-conformities identified
• Communications with the provider during the assessment, including requests for clarification, supplementary documentation provided, and any remediation actions taken
• The assessment team composition, including the qualifications and independence declarations of all personnel involved
• The certificate decision rationale, including how findings mapped to compliance determinations
• Any subcontracting used, including the identity of subcontractors, the tasks performed, and the verification of subcontractor outputs

Retention period. Documentation must be retained for a minimum period sufficient to support any post-certification review, market surveillance investigation, or Art.30 challenge. The EU AI Act does not specify a single retention period for all documents, but the practical standard—consistent with the certificate validity period plus the likely enforcement horizon—is ten years from the date the certificate ceases to be valid.

For certificates with a five-year validity period, this means documentation should be retained for fifteen years from the date of issue. Notified bodies operating across multiple product categories and member states must ensure their document management systems maintain accessibility across this full retention window.

Availability to national authorities. Documentation must be made available to the notifying authority and, where applicable, to market surveillance authorities on request and within reasonable timeframes. Notified bodies that cannot produce assessment documentation when requested—whether due to inadequate filing systems, loss of documentation during staff transitions, or systematic gaps in documentation practice—fail their Art.31 obligations independently of the quality of the assessments themselves.

Participation in Coordination Activities

Art.31 requires notified bodies to take part in the coordination activities organised under Art.38 of the EU AI Act. Art.38 establishes coordination arrangements for notified bodies operating under the AI Act, including the development of common interpretations, harmonisation of assessment practices, and exchange of experience across the notified body network.

EU AI Board notified body sub-group. The European Artificial Intelligence Board established under Art.65 includes a sub-group dedicated to coordinating notified body activities. Participation in this sub-group is not optional—Art.31 frames participation in coordination activities as an operational obligation rather than a voluntary contribution. Notified bodies that systematically decline to participate in coordination activities, fail to submit information requested for coordination purposes, or maintain assessment practices that deviate from coordinated approaches without justification fail their Art.31 obligations.

Harmonised standards and common positions. Coordination activities include the development of common positions on how harmonised standards apply to particular AI system types, how technical specifications should be interpreted across different national contexts, and how ambiguous assessment scenarios should be handled. Notified bodies must engage constructively with these processes, even where their initial assessment practice diverges from the emerging common position.

Peer review and quality comparison. Art.38 coordination may include peer review mechanisms by which notified bodies examine each other's assessment practices. Art.31 requires participation in such reviews when called upon. Notified bodies must treat peer review processes as professional obligations rather than competitive threats—the goal is systemic quality improvement across the notified body network, not competitive differentiation.

Art.31 × Art.43: The Conformity Assessment Procedure Integration

Art.43 of the EU AI Act specifies which conformity assessment procedure applies to each category of high-risk AI system. The Art.31 operational obligations are activated by and conditioned upon the procedure specified in Art.43.

Internal control (Annex VI). For most high-risk AI systems listed in Annex III—employment, education, credit scoring, biometric identification (with specified exceptions), AI systems managing critical infrastructure—Art.43(1) provides that providers conduct their own conformity assessment using the internal control procedure in Annex VI. No notified body is involved in Annex VI assessments. Art.31 obligations therefore do not apply where Art.43 routes assessment to Annex VI.

This scope limitation is significant: the EU AI Act's notified body framework applies to a smaller slice of high-risk AI systems than the broader Art.27-31 architecture might suggest. Notified bodies are primarily relevant for:

• AI systems that are safety components in products subject to Union harmonisation legislation (Annex I — medical devices, machinery, civil aviation, automotive systems, lifts, radio equipment, pressure equipment, in vitro diagnostic devices). For these, Art.43(3) and Art.43(4) require conformity assessment under the applicable Union harmonisation legislation, which typically involves notified bodies for third-party assessment categories
• Biometric identification systems — certain categories of real-time remote biometric identification systems require third-party conformity assessment
• General purpose AI models with systemic risk — separate provisions under Arts.51-55 may involve notified body activities where the GPAI model evaluation requires third-party technical assessment

Annex VII procedure (quality management + technical documentation). Where Art.43 routes assessment to Annex VII, the notified body conducts the full quality management system assessment and technical documentation review. Art.31 operational obligations apply in full: proportionate conduct, certificate management, documentation, subcontracting conditions, and coordination participation.

Significant changes and re-assessment. Art.43(4) requires that providers re-run the conformity assessment procedure when a high-risk AI system undergoes a substantial modification. Where the original assessment required notified body involvement, the re-assessment similarly requires notified body involvement. Art.31 obligations therefore apply to initial assessments and to all subsequent re-assessments following substantial modifications.

Art.31 × Art.27: Operational Fulfillment of Eligibility Requirements

Art.27 and Art.31 are structurally linked: the eligibility requirements in Art.27 define the organisational and procedural infrastructure that a conformity assessment body must have, and Art.31 operational obligations define what that infrastructure must be used to do.

Several Art.31 obligations are the operational expression of Art.27 requirements:

• Art.27 requires independence and impartiality. Art.31 requires that independence and impartiality be maintained in every assessment activity, not merely as a general organisational status. Art.31 therefore operationalises the Art.27 independence requirement as an assessment-level obligation
• Art.27 requires qualified staff. Art.31 requires that assessments be conducted by personnel with the competence appropriate to the specific AI system being assessed. This operationalises Art.27's staff requirement as a matching obligation: the staff conducting a particular assessment must have qualifications specific to that assessment's technical domain
• Art.27 requires a quality management system. Art.31 requires that the QMS be used to govern assessment activities—that procedures are followed, records are kept, subcontracting is managed through the QMS, and coordination activities are tracked within the QMS framework
• Art.27 requires professional liability insurance. Art.31 implicitly requires that insurance remains adequate in coverage as assessment volumes and certificate exposure increase

Art.31 failures are therefore often simultaneously Art.27 failures. A notified body that systematically fails its Art.31 documentation obligations is likely failing its Art.27 QMS requirement; a notified body that assigns unqualified personnel to specific assessments is likely failing its Art.27 staffing requirement. This overlap is why Art.29 enforcement—which is triggered by Art.27 requirement failures—is often the consequence of identified Art.31 operational failures.

OperationalObligationsTracker: Python Implementation

from dataclasses import dataclass, field
from enum import Enum
from datetime import date, timedelta
from typing import Optional

class CertificateStatus(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    RESTRICTED = "restricted"
    WITHDRAWN = "withdrawn"
    EXPIRED = "expired"

class AssessmentProcedure(Enum):
    ANNEX_VI_INTERNAL = "annex_vi_internal_control"
    ANNEX_VII_NB = "annex_vii_quality_management"
    UNION_HARMONISATION = "union_harmonisation_legislation"

@dataclass
class ConformityAssessmentCertificate:
    certificate_number: str
    notified_body_nando_number: str
    provider_name: str
    ai_system_identifier: str
    annex_iii_category: str
    procedure: AssessmentProcedure
    issue_date: date
    validity_years: int = 5
    status: CertificateStatus = CertificateStatus.ACTIVE
    conditions: list[str] = field(default_factory=list)
    subcontractors_used: list[str] = field(default_factory=list)

    @property
    def expiry_date(self) -> date:
        return self.issue_date.replace(year=self.issue_date.year + self.validity_years)

    @property
    def documentation_retention_deadline(self) -> date:
        return self.expiry_date.replace(year=self.expiry_date.year + 10)

    @property
    def is_nb_involved(self) -> bool:
        return self.procedure != AssessmentProcedure.ANNEX_VI_INTERNAL

    def days_to_expiry(self) -> int:
        return (self.expiry_date - date.today()).days

    def renewal_alert(self) -> Optional[str]:
        days = self.days_to_expiry()
        if self.status != CertificateStatus.ACTIVE:
            return None
        if days <= 180:
            return f"Certificate {self.certificate_number} expires in {days} days — initiate renewal assessment"
        if days <= 365:
            return f"Certificate {self.certificate_number} expires in {days} days — plan renewal assessment"
        return None

@dataclass
class Art31ComplianceAssessor:
    notified_body_nando: str
    assessment_date: date = field(default_factory=date.today)
    certificates: list[ConformityAssessmentCertificate] = field(default_factory=list)

    def check_database_registration(self, cert: ConformityAssessmentCertificate) -> dict:
        issues = []
        if not cert.certificate_number:
            issues.append("Missing certificate number — EU AI database registration not possible")
        if cert.status == CertificateStatus.WITHDRAWN and not cert.conditions:
            issues.append("Withdrawal reason not documented — reporting to national authority incomplete")
        return {
            "certificate": cert.certificate_number,
            "compliant": len(issues) == 0,
            "issues": issues,
        }

    def check_subcontracting(self, cert: ConformityAssessmentCertificate) -> dict:
        issues = []
        if cert.subcontractors_used and not cert.is_nb_involved:
            issues.append("Subcontractors used for Annex VI internal control assessment — NB not involved so subcontracting scope must be clarified")
        for sub in cert.subcontractors_used:
            if not sub:
                issues.append("Subcontractor identity not recorded — provider notification requirement not verifiable")
        return {
            "certificate": cert.certificate_number,
            "subcontractors": cert.subcontractors_used,
            "compliant": len(issues) == 0,
            "issues": issues,
        }

    def generate_renewal_alerts(self) -> list[str]:
        alerts = []
        for cert in self.certificates:
            alert = cert.renewal_alert()
            if alert:
                alerts.append(alert)
        return alerts

    def expiring_documentation_windows(self) -> list[dict]:
        results = []
        for cert in self.certificates:
            days_to_retention_deadline = (cert.documentation_retention_deadline - date.today()).days
            if days_to_retention_deadline <= 365:
                results.append({
                    "certificate": cert.certificate_number,
                    "expiry": cert.expiry_date.isoformat(),
                    "retention_deadline": cert.documentation_retention_deadline.isoformat(),
                    "days_remaining": days_to_retention_deadline,
                })
        return results

    def full_compliance_report(self) -> dict:
        db_checks = [self.check_database_registration(c) for c in self.certificates]
        sub_checks = [self.check_subcontracting(c) for c in self.certificates]
        renewal_alerts = self.generate_renewal_alerts()
        return {
            "notified_body": self.notified_body_nando,
            "assessment_date": self.assessment_date.isoformat(),
            "total_certificates": len(self.certificates),
            "database_registration_issues": [c for c in db_checks if not c["compliant"]],
            "subcontracting_issues": [c for c in sub_checks if not c["compliant"]],
            "renewal_alerts": renewal_alerts,
            "documentation_retention_warnings": self.expiring_documentation_windows(),
        }

Art.31 Compliance Matrix

Provider Operational Checklist: Engaging Notified Bodies Under Art.31

Pre-Engagement (before contracting with a notified body)

1. Verify NANDO registration: confirm the notified body has an active NANDO number and that its scope covers your AI system's Annex III category and intended deployment context
2. Confirm Art.43 route: establish whether your system is subject to Annex VI internal control or requires Annex VII NB involvement — many Annex III systems do not require notified body assessment
3. Check for conditions in existing notifications: use the NANDO database to verify the notified body's notification has no restrictions that limit its scope for your system type
4. Review any Art.29 or Art.30 history: notifying authority records and EU AI database for the notified body's certificate history, including any prior suspensions or Art.30 challenge outcomes

Assessment Conduct Monitoring

1. Confirm assessment personnel qualifications: request CVs or professional profiles of personnel assigned to your assessment and verify they have domain expertise specific to your AI system type
2. Review proportionality application: if you are an SME, confirm the notified body has adapted its administrative requirements proportionately
3. Monitor independence declarations: request documentation that assessment personnel have made conflict-of-interest declarations for your specific assessment
4. Track subcontractor disclosures: any use of subcontractors must be communicated to you beforehand — verify identity, qualifications, and that the notified body retains responsibility

Technical Documentation Assessment

1. QMS coverage confirmation: verify the notified body's QMS assessment encompasses all Art.17 obligations — design controls, risk management, data governance, post-market monitoring
2. Technical documentation completeness: confirm the assessment addresses all Annex IV requirements, not just a selection of the most accessible items
3. Harmonised standards application: document which standards the notified body applied and verify they are the current applicable versions
4. Testing scope: confirm that AI system performance testing (accuracy, robustness, cybersecurity per Art.15) was conducted substantively, not merely by reviewing provider-submitted test results

Certificate Review

1. Content completeness: verify the issued certificate contains all required elements — NANDO number, system identifier, conformity scope, conditions, validity period
2. Conditions review: carefully review any conditions or restrictions attached to the certificate — these define the boundaries within which the CE marking is valid
3. EU AI database confirmation: verify the certificate is registered in the EU AI database with all conditions accurately reflected
4. Validity period: confirm the certificate validity period and calendar renewal assessment obligations before expiry
5. Substantial modification trigger: document what changes to your AI system would constitute a substantial modification requiring re-assessment under Art.43(4)

Ongoing Management

1. Post-market monitoring reporting: understand your obligations to report serious incidents and corrective actions to the notified body during the certificate validity period
2. Certificate suspension preparedness: have a contingency plan for continued deployment if the notified body's notification is suspended or restricted under Art.29
3. Documentation access: confirm the notified body's document retention commitments and your right to access assessment documentation if needed for market surveillance or litigation
4. Art.30 challenge right: document grounds on which you could bring an Art.30 challenge if the assessment quality proves deficient post-issuance
5. Renewal timeline: initiate renewal assessment at least 12 months before certificate expiry to avoid gaps in certified status
6. NANDO status monitoring: monitor the notified body's NANDO status for any changes to scope or notification conditions during the certificate validity period
7. Art.38 coordination awareness: track common positions emerging from Art.38 coordination that may affect how your system's compliance is assessed at renewal
8. Subcontractor verification: if subcontractors were used, verify the notified body can evidence their qualifications and your pre-assessment notification
9. Systematic deficiency detection: if you identify patterns suggesting the notified body is operating below Art.31 standards — inadequate documentation, unqualified personnel, scope exceedances — preserve evidence and consider whether Art.30 challenge grounds exist

See Also

• EU AI Act Art.30 Challenge of Competence of Notified Bodies: Procedure, Rights, and Regulatory Response (2026)
• EU AI Act Art.29 Changes to Notifications: Suspension, Restriction, and Withdrawal of Notified Body Status (2026)
• EU AI Act Art.28 Notification of Conformity Assessment Bodies: The NANDO Procedure, Commission Challenge Period, and Notification Content Requirements (2026)
• EU AI Act Art.27 Requirements Relating to Notified Bodies: Independence, Technical Competence, Quality Management, and the Notified Body Designation Framework (2026)
• EU AI Act Art.26 Obligations of Deployers of High-Risk AI Systems: FRIA, Human Oversight, Log Retention, Worker Information, and the Art.26(10) Fine-Tuning Deemed-Provider Trigger (2026)